How we use your information

The purpose of this guidance is to inform you of the way in which Surrey Heartlands use information (including personal data) about you.

The guidance on this webpage explains:

  • who we are and what we do
  • the types of information we hold about people
  • how we use this information and why we need to do this
  • who we may share your information with
  • how you can object to the way we use information or complain about this
  • how you can access a copy of the information we hold about you
  • what other rights you may have in relation to this information
  • how we keep your information secure and confidential
  • where to go if you require further information.

This guidance applies to all individuals whose information is used by Surrey Heartlands; including local NHS service users, our staff and suppliers, and visitors to our offices.

This information is known as a ‘Privacy Notice’ or ‘Fair Processing Notice’ and it is a legal obligation under data protection legislation that we provide you with this.

  1. Privacy notice: NHS Surrey Heartlands ICB The purpose of this notice is to inform you of the way in which we, NHS Surrey Heartlands Integrated Care Board (the ICB), use information (including personal data) about you.
  2. Privacy notice: Referral Support Service The purpose of this notice is to inform you of the way in which NHS Surrey Heartlands Integrated Care Board (ICB) uses information (including personal data) about you when we are providing Referral Support Services (RSS) for GP Practices.

Covid-19 and your information

This supplementary Privacy Notice describes how Surrey Heartlands may use your information to protect you and others during the Covid-19 outbreak.

Privacy notice: Covid-19 and your information

Surrey Vaccination Team (SVOC) to provide administration support for vaccination of practice patients

NHS Surrey Heartlands ICB are supporting eligible patients to access the right provider to administer their Covid-19 vaccination where their registered GP Practice will not be providing this service.

The transparency information below tells you what to expect us to do with your personal information when you contact us to use the vaccination service.

  • What information is collected:  minimum personal data will be required to signpost to the relevant provider to book in a vaccine appointment:

    • Registered practice name, patient name, DOB and whether or not you consider yourself to be housebound

  • Lawful basis for processing this data:  The Health and Care Act 2022 gives the ICB duties to undertake activities such as commissioning arrangements and the duty as to improvement in quality of services. Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for using personal information is:

    • Personal data - 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

    • Special category data - 9(2)(h) processing is necessary for the purposes of … medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

  • Who this data will be shared with:  the data you provide us to access a Covid-19 vaccination provider will only be shared with your registered GP Practice where required.

  • How long this data will be held for: Surrey Heartlands ICB will only use the personal data you provide temporarily to signpost you to the relevant vaccination provider. Once complete, the data will be securely deleted.

Information Governance and Subject Access Requests

Information Governance

Information Governance provides a consistent way for employees to deal with the many different standards and legal rules that apply to information handling.

This includes the Data Protection Act (DPA) 2018 - a United Kingdom Act of Parliament that updates data protection laws in the UK. It is a national law which complements the European Union's General Data Protection Regulation (GDPR). Therefore GDPR and the Data Protection Act 2018 should be read side by side.

Subject Access Request

Individuals have the right to access information that Surrey Heartlands holds about them by making a Subject Access Request (SAR).

The GDPR has removed the fees that could previously be charged for SARs and reduced the amount of time that organisations have to respond. This right applies to all individuals including staff, employees of other organisations, service users, visitors to offices, and attendees at events.

Each NHS organisation holds their own records and we can only supply Surrey Heartlands records. If Surrey Heartlands holds the data requested and it is not legally exempt from disclosure, the information must be supplied within one month (though this can be extended by up to a further two months in some circumstances).

You can request access to information about you that we hold by contacting Surrey Heartlands Information Governance Team.

NHS national data opt-out programme - your data matters to the NHS

Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments.

In May 2018, the strict rules about how this data can and cannot be used were strengthened. The NHS is committed to keeping patient information safe and always being clear about how it is used.

You can choose whether your confidential patient information is used for research and planning.

Information Commissioner's Office

The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. A range of guidance for individuals and organisations is available via their website: ico.org